DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 03/17/2021. After the examiner’s amendment shown below, claims 1, 9 and 18 are independent. Claims 10, 12, 14 and 20 are cancelled. Claims 2-9, 11, 13 and 15-19 are amended. Thus, claims 1-9, 11, 13 and 15-19 are pending and have been considered.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/11/2021 and 06/10/2021 were filed after the filing date of application No. 15/479,650 on 04/05/2017. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner, and initialed and dated copies of Applicant’s IDS forms 1449 filed on 03/11/2021 and 06/10/2021 are attached to the instant office action.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with the applicant’s representative, Mr. Leon Fortin Jr. (Reg. No. 60,589), on 6/17/2021. The summary of the interview is attached.

Amendments to the Claims
The application has been amended as follows:
1. (Previously Presented) A computer program product for protecting against malicious network activity in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a processor of an endpoint operated by an end user in the enterprise network, performs the steps of: 
detecting a connection initiated from an application executing on the endpoint in the enterprise network to a network address outside the enterprise network; 
receiving a reputation of the application that is based on a first reputation lookup at the threat management facility for the enterprise network; 
receiving a reputation of the network address that is based on a second reputation lookup at the threat management facility; 
determining a network usage history for the application using a log of network activity maintained on the endpoint, the network usage history providing a general pattern of usage associated with the application on the endpoint, the general pattern of usage including a list of URLs associated with historic usage for the application on the endpoint; 
evaluating the endpoint for a compromised condition based on the reputation of the application, the reputation of the network address, and the network usage history for the application, including at least a determination by the processor of whether the network address in the connection initiated from the application is outside historic usage for the application on the endpoint based on whether the network address is included on the list of URLs for resources outside the enterprise network that are associated with the historic usage for the application on the endpoint; and 
initiating remediation action on the endpoint when the compromised condition is detected.  

2. (Currently Amended) The computer program product of claim 1, wherein the reputation of the application is at least one of known malicious, suspect, unknown, or known good.  

3. (Currently Amended) The computer program product of claim 1, wherein the reputation of the network address is at least one of known malicious, suspect, unknown, or known good.  

4. (Currently Amended) The computer program product of claim 1, wherein the reputation of the network address is based on crowd-sourced information about the network address.  

5. (Currently Amended) The computer program product of claim 1, further comprising code that performs the step of monitoring network activity by the application and storing the network usage history for the application in the log of network activity maintained on the endpoint.  

6. (Currently Amended) The computer program product of claim 5, further comprising code that performs the step of associating a network communication to the network address by a service executing on the endpoint with the application when the application controls the network communication, and adding the network communication to the network usage history for the application.  

7. (Currently Amended) The computer program product of claim 1, wherein the one or more computing devices include the endpoint.  

8. (Currently Amended) The computer program product of claim 1, wherein the one or more computing devices include the threat management facility.  

9. (Currently Amended) A method performed by computing circuitry of an endpoint user device, the method comprising: 
detecting a connection initiated from an application executing on an endpoint in an enterprise network to a network address; 
receiving, by using the computing circuitry of the endpoint user device, a reputation of the application using the connection, wherein the reputation of the application is requested from a threat management facility for the enterprise network; 
receiving a reputation of the network address, wherein the reputation of the network address is requested from a threat management facility for the enterprise network; 
determining a network usage history for the application using a log of network activity maintained on the endpoint user device, the network usage history providing a general pattern of usage associated with the application on the endpoint, the 
evaluating the endpoint for a compromised condition based on the reputation of the application, the reputation of the network address, and the network usage history for the application, including at least a determination by the computing circuitry of whether the network address in the connection initiated from the application is outside historic usage for the application on the endpoint based on whether the network address is included on the list of URLs for resources outside the enterprise network that are associated with the historic usage for the application on the endpoint; and 
initiating remediation action on the endpoint when the compromised condition is detected.  

10. (Cancelled) 

11. (Currently Amended) The method of claim 9, wherein the reputation of the application is at least one of known malicious, suspect, unknown, or known good.  

12. (Cancelled)  

13. (Currently Amended) The method of claim 9, wherein the reputation of the network address is at least one of known malicious, suspect, unknown, or known good.  

14. (Cancelled) 

15. (Currently Amended) The method of claim 9, wherein the reputation of the network address is based on crowd-sourced information about the network address.  

16. (Currently Amended) The method of claim 9, further comprising monitoring network activity by the application and storing the network usage history for the application in a log on the endpoint.  

17. (Currently Amended) The method of claim 16, further comprising associating a network communication to the network address by a service executing on the endpoint with the application when the application controls the network communication, and adding the network communication to the network usage history for the application.  

18. (Currently Amended) A threat management system comprising:
a network interface for coupling the threat management facility to the enterprise network; 
a memory; and 
a processor configured by computer executable code stored in the memory to protect against malicious network activity in the enterprise network by performing the steps of: 
detecting a connection initiated from an application executing on an end user endpoint in the enterprise network to a network address, 
determining a reputation of the application using the connection, 
determining a reputation of the network address; and 
a local security agent of the end user endpoint configured by computer executable code stored in a second memory to perform the steps of: 
determining a network usage history for the application using a log of network activity maintained on the end user endpoint, the network usage history 
evaluating the endpoint for a compromised condition based on the reputation of the application, the reputation of the network address, and the network usage history for the application, including at least a determination of whether the network address in the connection initiated from the application is outside historic usage for the application on the endpoint based on whether the network address is included on the list of URLs for resources outside the enterprise network that are associated with the historic usage for the application on the endpoint, and
initiating remediation action on the endpoint when the compromised condition is detected.  

19. (Currently Amended) The threat management system of claim 18, wherein the reputation of the application is at least one of known malicious, suspect, unknown, or known good and wherein the reputation of the network address is at least one of known malicious, suspect, unknown, or known good.  

20. (Cancelled) 
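The evaluation recited in independent claims 1, 9 and 18 combines three inputs: the application reputation returned by the threat management facility, the network address reputation returned by the same facility, and an endpoint-local usage history that reduces to a list of external URLs the application has contacted before. The following Python is an illustration added to this record for the reader; it is not the applicant’s code and is not taken from the specification. The reputation tables, the sample endpoint log, the enterprise domain, the rule for combining the three inputs into a compromised condition, and the remediation actions are all assumptions made for the example. It also carries the optional step of claims 6 and 17, attributing a connection made by a service to the application that controlled it.

```python
"""Added illustration of the claimed evaluation; not the applicant's implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional
from urllib.parse import urlsplit


class Reputation(Enum):
    """The four reputation values recited in claims 2, 3, 11, 13 and 19."""
    KNOWN_MALICIOUS = "known malicious"
    SUSPECT = "suspect"
    UNKNOWN = "unknown"
    KNOWN_GOOD = "known good"


# Assumed enterprise namespace; anything else is "outside the enterprise network".
ENTERPRISE_DOMAINS = ("corp.example",)

# Constructed stand-ins for the two reputation lookups at the threat management
# facility (application, then network address). A deployment would query a service.
APP_REPUTATION = {
    "updater.exe": Reputation.KNOWN_GOOD,
    "notepad.exe": Reputation.KNOWN_GOOD,
    "dropper.exe": Reputation.KNOWN_MALICIOUS,
}
ADDRESS_REPUTATION = {
    "updates.vendor.example": Reputation.KNOWN_GOOD,
    "cdn.vendor.example": Reputation.KNOWN_GOOD,
    "198.51.100.23": Reputation.SUSPECT,
}


@dataclass(frozen=True)
class LogEntry:
    process: str               # process that opened the connection
    controller: Optional[str]  # application on whose behalf a service acted (claims 6/17)
    url: str


# Constructed endpoint-local log of past network activity.
ENDPOINT_LOG = [
    LogEntry("updater.exe", None, "https://updates.vendor.example/manifest.json"),
    LogEntry("updater.exe", None, "https://cdn.vendor.example/pkg/1.2.zip"),
    LogEntry("svchost.exe", "updater.exe", "https://cdn.vendor.example/pkg/1.3.zip"),
    LogEntry("notepad.exe", None, "https://intranet.corp.example/notes"),
]


@dataclass
class Verdict:
    compromised: bool
    reason: str
    remediation: List[str]


def host_of(url: str) -> str:
    """Network address (host) portion of a URL or bare host string."""
    return urlsplit(url if "://" in url else "//" + url).hostname or ""


def is_outside_enterprise(host: str) -> bool:
    return not any(host == d or host.endswith("." + d) for d in ENTERPRISE_DOMAINS)


def usage_history(app: str, log: List[LogEntry]) -> List[str]:
    """External URLs historically contacted by `app`, including connections a
    service made while `app` controlled them (the association of claims 6/17)."""
    return [e.url for e in log
            if (e.controller or e.process) == app and is_outside_enterprise(host_of(e.url))]


def outside_historic_usage(host: str, history: List[str]) -> bool:
    """Claimed determination: is the address absent from the app's historic URL list?"""
    return host not in {host_of(u) for u in history}


def evaluate(app: str, url: str, log: List[LogEntry]) -> Verdict:
    """Combine both reputations with the usage-history determination. The combining
    rule below is an assumption for this example, not a rule from the claims."""
    host = host_of(url)
    if not is_outside_enterprise(host):
        return Verdict(False, "destination is inside the enterprise network", [])
    app_rep = APP_REPUTATION.get(app, Reputation.UNKNOWN)        # first lookup
    addr_rep = ADDRESS_REPUTATION.get(host, Reputation.UNKNOWN)  # second lookup
    novel = outside_historic_usage(host, usage_history(app, log))
    if Reputation.KNOWN_MALICIOUS in (app_rep, addr_rep):
        reason = "known malicious application or network address"
        actions = ["terminate process", "quarantine executable", "isolate endpoint"]
    elif novel and addr_rep is not Reputation.KNOWN_GOOD:
        reason = f"{app} has never contacted {host}, whose reputation is {addr_rep.value}"
        actions = ["block connection", "isolate endpoint pending investigation"]
    elif addr_rep is Reputation.SUSPECT and app_rep is not Reputation.KNOWN_GOOD:
        reason = f"{app} ({app_rep.value}) contacting suspect address {host}"
        actions = ["block connection", "collect forensic artifacts"]
    else:
        return Verdict(False, "within reputation and historic usage", [])
    return Verdict(True, reason, actions)  # remediation is initiated on the endpoint


if __name__ == "__main__":
    for app, url in [("updater.exe", "https://cdn.vendor.example/pkg/1.4.zip"),
                     ("notepad.exe", "http://198.51.100.23/x.bin"),
                     ("updater.exe", "https://mirror.vendor.example/pkg/1.4.zip")]:
        v = evaluate(app, url, ENDPOINT_LOG)
        print(f"{app} -> {url}: compromised={v.compromised}; {v.reason}; {v.remediation}")
```

The comparison is made on the host rather than the full URL, so a known-good application fetching a new path on a host it has used before is not flagged, while the same application contacting a host absent from its history is, unless the facility already rates that host known good. That is the practical caveat in the claimed approach: for applications whose normal pattern is to contact ever-new hosts, such as a browser, the historic URL list alone produces a high rate of novel destinations, and the two reputation inputs are what keep the check useful.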

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 
After further search and consideration, claims 1-9, 11, 13 and 15-19 are allowed over the prior art of record. 
The following references of record disclose the general subject matter recited in independent claims 1, 9 and 18, both as they stood before and as they stand after the current amendment, but not the specific limitations identified below.
A.	Bishop; Michael G. (US 2014/0123279 A1) discloses dynamic quarantining for malware detection on computers and other electronic devices such as a client electronic device. As depicted in Figs. 1-3, system 100 is an example of a system for dynamic quarantining for malware detection. System 100 may be configured to execute monitor 102 to evaluate information, such as data 112, as to its malware status or reputation; reputation database 234 in Fig. 2 includes a software information log 236 containing software reputation information and a network address information log 248 containing network address reputation information, where network address information log 248 may be indexed in any suitable manner, such as by website address, domain or server name, internet protocol ("IP") address, or other indication of site 250 (i.e., URLs associated with the network usage history for the application). Further, system 100 may use a reputation server that may use any suitable mechanism (i.e., a reputation lookup, as shown in Fig. 3) to determine a reputation score or percentage for the software (application) and the network address, as shown in Fig. 2. Information about potentially malicious applications or network addresses is observed by various anti-malware clients 230; reputation server application 232 may receive such information and store it in reputation database 234 (which may include software information log 236 and network address information log 248, as shown in Fig. 2). Based on rules, 
B.	Alperovitch; Dmitri et al. (US 2013/0247201 A1) discloses that an application on an end-host, such as application module 20a, attempts to establish a connection with a remote host, either by initiating a connection to the remote host at 305a for an outbound connection or by receiving a connection from the remote host at 305b for an inbound connection. A reputation query may then be sent to a reputation system or threat analysis host at 310. The received reputation query is processed at 405, as may be done at 315 of flowchart 300. The query may include the IP address and port of the end-host and of the remote host, a hash of the application attempting to initiate or accept the connection, and the transport protocol of the connection. The query can be processed and a response sent at 415. More particularly, the connection information may be analyzed to determine if the IP address of the end-host/remote host or the application hash is known to be associated with malicious activity at 420 and 425. Analysis of query patterns and existing reputation data may also be examined at 430 to identify potentially malicious connections in real time.
C.	Ranum; Marcus J. et al. (US 20140013434 A1) discloses that a web application on the remotely scanned host (i.e., the endpoint) may be scanned to identify one or more external network addresses (or a list of external URLs, links or other network addresses) to which the scanned web application points, whereby the remotely scanned host may be determined to link to malicious content if at 
D.	Buchanan; Kevin A. et al. (US 2015/0256431 A1) discloses establishing a reputation of the initiator/endpoint of a traffic flow via reputation engine 230; based upon previous inspection(s), a reputation 520 is generated and associated with each initiator/endpoint (such as malicious, good or untrusted). Each initiator/endpoint in the database is associated with a snapshot of current application usage data (for current usage) and historical usage data (for past usage). As an example, for an initiator/endpoint associated with source IP address 192.168.1.100 from the list of source IP addresses (i.e., URLs), current usage data 530 and corresponding historical usage data 540 are shown. If the initiator/endpoint (by virtue of a corresponding IP address) is determined to be new, as shown at operation 410, then the corresponding traffic flow is automatically categorized as untrusted (by virtue of the initiator being unknown).
E.	Bettini et al. (US 20130227683 A1) relates to quantifying the risks of applications ("apps") for mobile devices. In some embodiments, quantifying the risks of apps for mobile devices includes receiving an application for a mobile device, performing an automated analysis of the application based on a risk profile, and generating a risk score based on the automated analysis of the application based on the risk profile. Quantifying the risks of apps for 
F.	Olinsky; Craig Philip (US 20170126720 A1) discloses that a user operating client 101 may encounter online content that is unknown to the user and may be undesirable, unsafe, or inappropriate for the user to view/visit. If the user decides to view or visit the online content, the user interface 120 can ping the system backend 100 with the address 124 of the online content so the system backend 100 can ascertain whether the online content is within the bounds of policies established for the client 101. For example, the system backend 100 can send an "Allow" or "Block" message 126 to the client 101 based on 1) whether the system backend 100 has reputation and/or category information about the online content and 2) policy information associated with the client 101. (The system backend 100 can use machine learning to create a new entry for an address not already in the system, and begin tracking implicit user feedback for category and reputation characteristics for that address. Machine learning also works to update category and reputation information.)
G.	Judge et al. (US 20120166808 A1) relates to an operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication are analyzed based upon a plurality of criteria, and a reputation score associated with the messaging entity is biased based upon the analysis of 
H.	Beliga et al. (US 2012/0233694 A1) discloses the mitigation of malicious software in wireless networks and/or on mobile devices. A mobile malicious software mitigation component is provided that obtains an internet protocol address that is exhibiting malicious software behavior, a profile of the malicious software behavior, and a time of the malicious software behavior. The malicious software mitigation component can determine an identity of a mobile device that was assigned the internet protocol address during the time it was exhibiting malicious software behavior, and transmit the profile to the mobile device.
I.	Aysha Binte Ishfaq and Syed Ali Khayam (NPL: Performance Comparison of Four Anomaly Detectors in Detecting Self-Propagating Malware on Endpoints; IEEE 2008). This paper addresses detecting malware on network endpoints, comprising home and office computers, which have become the most prevalent and effective launch pads and carriers of malware infections. Moreover, endpoints represent the last (and sometimes the only effective) line of defense against the spread and detection of malware. Therefore, it is important that contemporary anomaly detectors’ performance be evaluated on endpoints and under high- and low-rate worm propagation attacks. The paper compares four anomaly detection techniques using real endpoint and worm traffic data (i.e., IP addresses) collected on operational endpoints. 
J.	See also the other prior art of record.

For this reason, the specific claim limitations such as “evaluating the endpoint for a compromised condition based on the reputation of the application, the reputation of the network address, and the network usage history for the application, including at least a determination by the processor of whether the network address in the connection initiated from the application is outside historic usage for the application on the endpoint based on whether the network address is included on the list of URLs for resources outside the enterprise network that are associated with the historic usage for the application on the endpoint;” recited in independent claims 1, 9 and 18, taken as a whole, are allowed.
Dependent claims 2-8, 11, 13, 15-17 and 19, which depend from the above independent claims and further limit them, are definite and enabled by the specification, and are also allowed.
Furthermore, the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of 37 CFR 1.104(e). The grounds of rejection were reconsidered and withdrawn based on the substance of applicant’s amendments, remarks and arguments (see arguments/remarks filed on 03/17/2021, pages 8-10); as such, the reasons for allowance are in all probability evident from the record.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose contact number is 571-272-1239. The examiner can normally be reached on Mon-Fri: 8AM – 4PM. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 

/ALI CHEEMA/
Examiner, Art Unit 2433

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498